Anyone with a credit or debit card in the US has likely been affected by a security breach. One of the largest, Target’s security breach in 2014, reportedly affected more than 70 million consumers. Since then, other retail and fast food outlets such as Home Depot, Wal-Mart, Dairy Queen, and Chick-fil-A have experienced similar data breaches. Because information like the cardholder’s name, Primary Account Number (PAN), and four digit PIN is electronically stored in the magnetic stripe, captured data can be duplicated onto fictitious cards or used to make online purchases. The thieves can also simply sell the stolen card data to other thieves. At issue is the merchant’s failure to follow the security protocols established by the credit card companies to ensure the safe storage and safe transfer of that information.
The Payment Card Industry Data Security Standard (PCI DSS) is a self-imposed information security protocol for merchants and companies that process credit card transactions. PCI DSS emerged in 2004 through cooperative agreements between MasterCard and Visa. Today, the PCI Security Council is made up of the major card brands, including MasterCard, Visa, American Express, and Discover. The PCI Security Council developed the Data Security Standard to safeguard the storage and transfer of credit card data. Proprietary cards, such as some fuel cards from oil companies, convenience stores, and truck stops, are not part of a major card network and are therefore outside the scope of the PCI DSS. However, many of the same protocols could, and should, be followed by the merchant regardless of the card data being handled.
PCI DSS was developed to reduce or eliminate credit card fraud risk by establishing 12 key areas of control measures. For large companies that handle high volumes of credit card data, these controls are examined annually by an external expert, a Qualified Security Assessor (QSA). Smaller companies must complete a Self-Assessment Questionnaire (SAQ) to remain compliant. Within the 12 key focus areas, sub-categories spell out the requirements for PCI DSS compliance. The categories combine technological and physical measures, which together provide layered protection for the integrity of the credit card data.
In every major security breach, many of the PCI DSS protocols were not followed or were simply ignored. Merchants failed by retaining credit card data, and where data was retained, they failed to encrypt it; following PCI DSS on either point could have prevented a security breach.
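As an added example (not code from the original article or from 360fuelcard.com), the Python below shows what "do not retain card data, and protect whatever is retained" looks like at the point of capture: the PAN is validated with the Luhn check used by the card networks, masked to the first six and last four digits for any display or receipt, and replaced in the merchant's own records by a keyed one-way token so the full number is never stored. The HMAC-based tokenization, the hypothetical `record_transaction` function and the in-memory key are assumptions for illustration; a real deployment keeps the key in an HSM or uses a tokenization vault, and the sample card numbers are constructed test values.

```python
"""Capture-time handling of a PAN: validate, mask for display, tokenize for storage.

Added example for illustration; the token scheme and key handling are assumptions,
not a description of any particular merchant's or card brand's implementation.
"""
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is an all-digit string of plausible length that passes Luhn."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold >9 back to one digit.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display/receipts: at most the first six and last four digits stay visible."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256) that can be matched later without storing the PAN.

    Assumption for the example: the key is held outside the cardholder-data environment,
    e.g. in an HSM, so an attacker who copies the database cannot brute-force PANs offline.
    """
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def record_transaction(pan: str, amount_cents: int, key: bytes) -> dict:
    """Hypothetical helper: build the record a merchant may keep. The full PAN is absent."""
    return {
        "pan_masked": mask_pan(pan),          # allowed on receipts and screens
        "pan_token": tokenize_pan(pan, key),  # stable reference for refunds/reconciliation
        "last4": pan[-4:],
        "amount_cents": amount_cents,
    }


def contains_full_pan(record: dict, pan: str) -> bool:
    """Check used in tests and audits: does any stored field leak the clear-text PAN?"""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    # Constructed test values: a well-known Luhn-valid test number and a throwaway key.
    demo_key = b"replace-with-key-from-hsm"
    rec = record_transaction("4111111111111111", 1999, demo_key)
    print(rec)
    print("leaks full PAN:", contains_full_pan(rec, "4111111111111111"))
```

The masked form is what the cashier or the customer ever sees, and the token is what the merchant's database holds; a refund or chargeback lookup recomputes the token from the card presented and matches on that, so a copy of the database is useless to a thief without the key.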
More importantly, merchants’ losses from credit card fraud exceeded $190 billion, according to an information security industry provider, LexisNexis, and those losses can be traced back to the merchants’ own lack of controls. The reality now is that any company that relies on credit card payments will have to take measures to protect the credit card data or face potential lost business, loss of consumer confidence, and fines.
Until more merchants adopt the PCI DSS protocols, the best remedy available to a cardholder against a security breach is to quickly request a new credit card from your financial institution as soon as you learn of a breach at a merchant where the card was previously processed. This effectively changes the PAN of the card and renders the previous card null and void, with no liability to the cardholder. 360fuelcard.com offers free replacement credit cards in the event of loss or theft: a protective and cost effective solution.